##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
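class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Priv

  # wmic prints CR CR LF line endings and separates one AntiVirusProduct
  # instance from the next with a blank line, so two of those mark a record
  # boundary in `get * /value` output.
  WMIC_RECORD_SEPARATOR = "\r\r\n\r\r\n".freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Installed AntiVirus Enumeration',
        'Description' => %q{
          This module will enumerate the AV products detected by WMIC
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'rageltman <rageltman[at]sempervictus>' ],
        'Platform' => %w[win],
        'SessionTypes' => [ 'meterpreter', 'shell' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )
  end

  # Entry point for the `run` command.
  #
  # Queries the root\SecurityCenter2 WMI namespace through wmic.exe for every
  # registered AntiVirusProduct instance, prints each raw record, and stores
  # the parsed records as a 'windows.antivirus' note keyed by displayName.
  #
  # NOTE(review): root\SecurityCenter2 is the Security Center (client SKU)
  # namespace; on hosts where it is absent wmic reports an error and the
  # module bails via fail_with below — confirm against a Server target.
  # Spawning wmic.exe is a visible child process on the target.
  def run
    # wmic is deprecated and may be absent on newer releases, so check first
    # rather than treating a missing binary as an empty result.
    unless command_exists?('wmic')
      print_error("The 'wmic' command doesn't exist on this host!")
      return
    end

    cmd = 'wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get * /value'
    # 6000s timeout kept from the original; WMI queries can stall, but this is
    # generous — presumably meant to avoid a false "no AV" on slow hosts.
    resp = cmd_exec(cmd, nil, 6000).to_s
    # wmic writes "ERROR:" as the first token when the namespace/class query
    # fails (e.g. namespace not present); surface the full text to the operator.
    fail_with(Failure::Unknown, resp) if resp[0..5].upcase == 'ERROR:'

    avs = {}
    resp.split(WMIC_RECORD_SEPARATOR).each do |record|
      next if record.strip.empty?

      print_status("Found AV product:\n#{record}\n")
      av_note = parse_wmic_record(record)
      # displayName becomes the note key; the remaining properties are the value.
      avn = av_note.delete('displayName')
      avs[avn] = av_note
    end

    print_status('No AV products registered in root\SecurityCenter2') if avs.empty?
    report_note(host: target_host, type: 'windows.antivirus', data: avs, update: :unique_data)
  end

  private

  # Convert one wmic `/value` record ("key=value" per line) into a Hash.
  #
  # Only lines containing '=' are kept: a stray line without a separator would
  # otherwise make Array#to_h raise and crash the whole module. Values are split
  # on the first '=' only, so values that themselves contain '=' survive intact.
  #
  # @param record [String] one record block as emitted by wmic
  # @return [Hash{String => String}] property name => property value
  def parse_wmic_record(record)
    record.lines
          .map(&:strip)
          .select { |line| line.include?('=') }
          .map { |line| line.split('=', 2) }
          .to_h
  end
end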